[Dnsmasq-discuss] dnsmasq forwarding queries over VPN/IPSec
Simon Kelley
simon at thekelleys.org.uk
Mon Sep 28 16:12:47 BST 2009
Ken Bantoft wrote:
>
> On 28-Sep-09, at 11:03 AM, Simon Kelley wrote:
>
>> Ken Bantoft wrote:
>>> Hi,
>>> I've run into a case where I'd like dnsmasq to forward queries over
>>> an IPSec VPN tunnel to nameservers on the far side, but this doesn't
>>> seem to work as expected.
>>> I've got 2 Interfaces - br-lan (192.168.1.1) and ppp0 (PPPoE -
>>> 216.x.x.x). IPsec is terminated on the same machine, so it has a
>>> tunnel from 192.168.0.0/24 to 10.0.0.0/8.
>>> dnsmasq is set to forward all queries to 10.x.x.10 and 10.x.y.10
>>> nameservers, which are across the tunnel in the datacenter. What
>>> I'm seeing with tcpdump is the requests going out the ppp0
>>> interface, with the 216.x.x.x IP address. I've tried a variety of
>>> options (bind- interfaces, listen-address), as I really want dnsmasq
>>> to bind only to the br-lan interface, and use that address as the
>>> Source IP for the forwarded queries, but no combination I've tried
>>> does the trick.
>>> Any suggestions?
>>
>> Stop dnsmasq from looking for servers in /etc/resolv.conf with
>>
>> no-resolv
>>
>> in /etc/dnsmasq.conf and then specify them using "server=" lines in
>> /etc/dnsmasq.conf like this
>>
>> server=10.x.x.10 at br-lan
>> server=10.x.y.10 at br-lan
>>
>>
>> We've been here before....
>
> That was my 1st step... so I do see it sending the requests to 10.x.x.10
> and 10.x.y.10 as expected - just out the wrong interface...
>
>
> Ken
>
>
>
If this a routing problem? Dnsmasq can control the source address of the
packets, and the destination address is straightforward, but it can't
control how the kernel routes the packets: do you have a route to
10.0.0.0/8 via the tunnel?
Cheers,
Simon.
More information about the Dnsmasq-discuss
mailing list